The tree automaton completion is an algorithm used for proving safety properties of systems that can be modeled by a term rewriting system. This representation and verification technique works well for proving properties of infinite systems like cryptographic protocols or, more recently, Java Bytecode programs. This algorithm computes a tree automaton which represents a (regular) over-approximation of the set of terms reachable by rewriting initial terms. This approach is limited by the lack of information about the rewriting relation between terms. Actually, terms in relation by rewriting are in the same equivalence class: they are recognized by the same state in the tree automaton.

Our objective is to produce an automaton embedding an abstraction of the rewriting relation sufficient to prove temporal properties of the term rewriting system.

We propose to extend the algorithm to produce an automaton having more equivalence classes, so as to distinguish a term or a subterm from its successors w.r.t. rewriting. While ground transitions are used to recognize equivalence classes of terms, ε-transitions represent the rewriting relation between terms. From the completed automaton, it is possible to automatically build a Kripke structure abstracting the rewriting sequence. States of the Kripke structure are states of the tree automaton and the transition relation is given by the set of ε-transitions. States of the Kripke structure are labelled by the set of terms recognized using ground transitions. On this Kripke structure, we define the Regular Linear Temporal Logic (R-LTL) for expressing properties. Such properties can then be checked using standard model checking algorithms. The only difference between LTL and R-LTL is that predicates are replaced by regular sets of acceptable terms.

1 Introduction 

Our main objective is to formally verify programs or systems modeled using Term Rewriting Systems. 
In a previous work [2], we have shown that it is possible to translate a Java bytecode program into a Term 
Rewriting System (TRS). In this case, terms model Java Virtual Machine (JVM) states and the execution 
of bytecode instructions is represented by rewriting, according to the small-step semantics of Java. An 
interesting point of this approach is the possibility to classify rewriting rules. More precisely, there is a 
strong relation between the position of rewriting in a term and the semantics of the executed transition 
on the corresponding state. For the case of Java bytecode, since a term represents a JVM state, rewriting 
at the top-most position corresponds to manipulations of the call stack, i.e. it simulates a method call or 
method return. On the other hand, since the left-most subterm represents the execution context of the 
current method (so called frame), rewriting at this position simulates the execution of the code of this 
method. Hence, by focusing on rewriting at a particular position, it is possible to analyse a Java program 
at the method call level (inter procedural control flow) or at the instruction level (local control flow). 
The contribution of this paper is dual. First, we propose an abstract rewriting relation to characterize the rewriting paths at a particular depth in terms. Second, we propose an algorithm which builds a tree automaton recognizing this relation between terms. Thus, it is possible for instance to build a tree automaton recognizing the graph of method calls by abstracting the rewriting relation for the top-most position of JVM terms.

The verification technique used in that work, called Tree Automata Completion [5], is able to finitely over-approximate the set of reachable terms, i.e. the set of all reachable states of the JVM. However, this technique lacks precision in the sense that it makes no difference between all those reachable terms. Due to the approximation algorithm, all reachable terms are considered as equivalent and the execution ordering is lost. In particular, this prevents proving temporal properties of such models. However, using approximations makes it possible to prove unreachability properties of infinite state systems.

In this preliminary work, we propose to improve the Tree Automata Completion method so as to 
prove temporal properties of a TRS representing a finite state system. The first step is to refine the 
algorithm so as to produce a tree automaton keeping an approximation of the rewriting relation between 
terms. Then, in a second step, we propose a way to check LTL-like formulas on this tree automaton. 

2 Preliminaries 

Comprehensive surveys can be found in [?] for rewriting, and in [?] for tree automata and tree language theory.

Let $\mathcal{F}$ be a finite set of symbols, each associated with an arity function, and let $\mathcal{X}$ be a countable set of variables. $\mathcal{T}(\mathcal{F}, \mathcal{X})$ denotes the set of terms, and $\mathcal{T}(\mathcal{F})$ denotes the set of ground terms (terms without variables). The set of variables of a term $t$ is denoted by $\mathcal{V}ar(t)$. A substitution is a function $\sigma$ from $\mathcal{X}$ into $\mathcal{T}(\mathcal{F}, \mathcal{X})$, which can be uniquely extended to an endomorphism of $\mathcal{T}(\mathcal{F}, \mathcal{X})$. A position $p$ for a term $t$ is a word over $\mathbb{N}$. The empty sequence $\lambda$ denotes the top-most position. The set $Pos(t)$ of positions of a term $t$ is inductively defined by:

• $Pos(t) = \{\lambda\}$ if $t \in \mathcal{X}$

• $Pos(f(t_1, \ldots, t_n)) = \{\lambda\} \cup \{i.p \mid 1 \le i \le n \text{ and } p \in Pos(t_i)\}$

If $p \in Pos(t)$, then $t|_p$ denotes the subterm of $t$ at position $p$ and $t[s]_p$ denotes the term obtained by replacement of the subterm $t|_p$ at position $p$ by the term $s$. A term rewriting system (TRS) $\mathcal{R}$ is a set of rewrite rules $l \to r$, where $l, r \in \mathcal{T}(\mathcal{F}, \mathcal{X})$, $l \notin \mathcal{X}$, and $\mathcal{V}ar(l) \supseteq \mathcal{V}ar(r)$. The TRS $\mathcal{R}$ induces a rewriting relation $\to_{\mathcal{R}}$ on terms as follows. Let $s, t \in \mathcal{T}(\mathcal{F}, \mathcal{X})$ and $l \to r \in \mathcal{R}$; $s \to_{\mathcal{R}}^{p} t$ denotes that there exists a position $p \in Pos(s)$ and a substitution $\sigma$ such that $s|_p = l\sigma$ and $t = s[r\sigma]_p$. Note that the rewriting position $p$ can generally be omitted, i.e. we generally write $s \to_{\mathcal{R}} t$. The reflexive transitive closure of $\to_{\mathcal{R}}$ is denoted by $\to_{\mathcal{R}}^{*}$. The set of $\mathcal{R}$-descendants of a set of ground terms $E$ is $\mathcal{R}^{*}(E) = \{t \in \mathcal{T}(\mathcal{F}) \mid \exists s \in E \text{ s.t. } s \to_{\mathcal{R}}^{*} t\}$.

The verification technique defined in [?] is based on the approximation of $\mathcal{R}^{*}(E)$. Note that $\mathcal{R}^{*}(E)$ is possibly infinite: $\mathcal{R}$ may not terminate and/or $E$ may be infinite. The set $\mathcal{R}^{*}(E)$ is generally not computable [?]. However, it is possible to over-approximate it [?] using tree automata, i.e. a finite representation of infinite (regular) sets of terms. In this verification setting, the TRS $\mathcal{R}$ represents the system to verify, and the sets of terms $E$ and $Bad$ respectively represent the set of initial configurations and the set of "bad" configurations that should not be reached. Using tree automata completion, we construct a tree automaton $B$ whose language $\mathcal{L}(B)$ is such that $\mathcal{L}(B) \supseteq \mathcal{R}^{*}(E)$. If $\mathcal{L}(B) \cap Bad = \emptyset$ then this proves that $\mathcal{R}^{*}(E) \cap Bad = \emptyset$, and thus that none of the "bad" configurations is reachable. We now define tree automata.

Let $Q$ be a finite set of symbols, with arity 0, called states, such that $Q \cap \mathcal{F} = \emptyset$. $\mathcal{T}(\mathcal{F} \cup Q)$ is called the set of configurations.
Definition 1 (Transition, normalized transition, ε-transition). A transition is a rewrite rule $c \to q$, where $c$ is a configuration, i.e. $c \in \mathcal{T}(\mathcal{F} \cup Q)$, and $q \in Q$. A normalized transition is a transition $c \to q$ where $c = f(q_1, \ldots, q_n)$, $f \in \mathcal{F}$ whose arity is $n$, and $q_1, \ldots, q_n \in Q$. An ε-transition is a transition of the form $q \to q'$ where $q$ and $q'$ are states.

Definition 2 (Bottom-up nondeterministic finite tree automaton). A bottom-up nondeterministic finite tree automaton (tree automaton for short) is a quadruple $\mathcal{A} = (\mathcal{F}, Q, Q_F, \Delta \cup \Delta_{\varepsilon})$, where $Q_F \subseteq Q$, $\Delta$ is a set of normalized transitions and $\Delta_{\varepsilon}$ is a set of ε-transitions.

The rewriting relation on $\mathcal{T}(\mathcal{F} \cup Q)$ induced by the transitions of $\mathcal{A}$ (the set $\Delta \cup \Delta_{\varepsilon}$) is denoted by $\to_{\Delta \cup \Delta_{\varepsilon}}$. When $\Delta$ is clear from the context, $\to_{\Delta \cup \Delta_{\varepsilon}}$ will also be denoted by $\to_{\mathcal{A}}$. We also introduce $\to_{\Delta}$, the transitive relation which is induced by the set $\Delta$ alone.

Definition 3 (Recognized language, canonical term). The tree language recognized by $\mathcal{A}$ in a state $q$ is $\mathcal{L}(\mathcal{A}, q) = \{t \in \mathcal{T}(\mathcal{F}) \mid t \to_{\mathcal{A}}^{*} q\}$. The language recognized by $\mathcal{A}$ is $\mathcal{L}(\mathcal{A}) = \bigcup_{q \in Q_F} \mathcal{L}(\mathcal{A}, q)$. A tree language is regular if and only if it can be recognized by a tree automaton. A term $t$ is a canonical term of the state $q$ if $t \to_{\Delta} q$.

Example 1. Let $\mathcal{A}$ be the tree automaton $(\mathcal{F}, Q, Q_F, \Delta \cup \Delta_{\varepsilon})$ such that $\mathcal{F} = \{f, g, a, b\}$, $Q = \{q_0, q_1, q_2\}$, $Q_F = \{q_0\}$, $\Delta = \{f(q_0) \to q_0,\ g(q_1) \to q_0,\ a \to q_1,\ b \to q_2\}$ and $\Delta_{\varepsilon} = \{q_2 \to q_1\}$. In $\mathcal{A}$, transitions are normalized. A transition of the form $f(g(q_1)) \to q_0$ is not normalized. The term $g(a)$ is a term of $\mathcal{T}(\mathcal{F} \cup Q)$ (and of $\mathcal{T}(\mathcal{F})$) and can be rewritten by $\mathcal{A}$ in the following way: $g(a) \to_{\mathcal{A}} g(q_1) \to_{\mathcal{A}} q_0$. Hence $g(a)$ is a canonical term of $q_0$. Note also that $b \to_{\mathcal{A}} q_2 \to_{\mathcal{A}} q_1$. Hence $\mathcal{L}(\mathcal{A}, q_1) = \{a, b\}$ and $\mathcal{L}(\mathcal{A}) = \mathcal{L}(\mathcal{A}, q_0) = \{g(a), g(b), f(g(a)), f(f(g(b))), \ldots\} = \{f^{*}(g([a|b]))\}$.



3 The Tree Automata Completion with ε-transitions

Given a tree automaton $\mathcal{A}$ and a TRS $\mathcal{R}$, the tree automata completion algorithm, proposed in [?], computes a complete tree automaton $\mathcal{A}_{\mathcal{R}}^{*}$ such that $\mathcal{L}(\mathcal{A}_{\mathcal{R}}^{*}) = \mathcal{R}^{*}(\mathcal{L}(\mathcal{A}))$ when it is possible (for some of the classes of TRSs where an exact computation is possible, see [?]), and such that $\mathcal{L}(\mathcal{A}_{\mathcal{R}}^{*}) \supseteq \mathcal{R}^{*}(\mathcal{L}(\mathcal{A}))$ otherwise. In this paper, we only consider the exact case.

The tree automata completion with ε-transitions works as follows. From $\mathcal{A} = \mathcal{A}_{\mathcal{R}}^{0}$, completion builds a sequence $\mathcal{A}_{\mathcal{R}}^{0}, \mathcal{A}_{\mathcal{R}}^{1}, \ldots, \mathcal{A}_{\mathcal{R}}^{k}$ of automata such that if $s \in \mathcal{L}(\mathcal{A}_{\mathcal{R}}^{i})$ and $s \to_{\mathcal{R}} t$ then $t \in \mathcal{L}(\mathcal{A}_{\mathcal{R}}^{i+1})$. Transitions of $\mathcal{A}_{\mathcal{R}}^{i}$ are denoted by the set $\Delta^{i} \cup \Delta_{\varepsilon}^{i}$. Since for every tree automaton there exists a deterministic tree automaton recognizing the same language, we can assume that initially $\mathcal{A}$ has the following properties:

Property 1 ($\to_{\Delta}$ deterministic). If $\Delta$ contains two normalized transitions of the form $f(q_1, \ldots, q_n) \to q$ and $f(q_1, \ldots, q_n) \to q'$, then $q = q'$. This ensures that the rewriting relation $\to_{\Delta}$ is deterministic.

Property 2. For all states $q$ there is at most one normalized transition $f(q_1, \ldots, q_n) \to q$ in $\Delta$. This ensures that if we have $t \to_{\Delta}^{*} q$ and $t' \to_{\Delta}^{*} q$ then $t = t'$.

If we find a fixpoint automaton $\mathcal{A}_{\mathcal{R}}^{k}$ such that $\mathcal{R}(\mathcal{L}(\mathcal{A}_{\mathcal{R}}^{k})) = \mathcal{L}(\mathcal{A}_{\mathcal{R}}^{k})$, then we note $\mathcal{A}_{\mathcal{R}}^{*} = \mathcal{A}_{\mathcal{R}}^{k}$ and we have $\mathcal{L}(\mathcal{A}_{\mathcal{R}}^{*}) \supseteq \mathcal{R}^{*}(\mathcal{L}(\mathcal{A}_{\mathcal{R}}^{0}))$ [?]. To build $\mathcal{A}_{\mathcal{R}}^{i+1}$ from $\mathcal{A}_{\mathcal{R}}^{i}$, we achieve a completion step which consists of finding critical pairs between $\to_{\mathcal{R}}$ and $\to_{\mathcal{A}_{\mathcal{R}}^{i}}$. To define the notion of critical pair, we extend the definition of substitutions to the terms of $\mathcal{T}(\mathcal{F} \cup Q)$. For a substitution $\sigma : \mathcal{X} \mapsto Q$ and a rule $l \to r \in \mathcal{R}$, a critical pair is an instance $l\sigma$ of $l$ such that there exists $q \in Q$ satisfying $l\sigma \to_{\mathcal{A}_{\mathcal{R}}^{i}}^{*} q$ and $l\sigma \to_{\mathcal{R}} r\sigma$. Note that since $\mathcal{R}$, $\mathcal{A}_{\mathcal{R}}^{i}$ and the set $Q$ of states of $\mathcal{A}_{\mathcal{R}}^{i}$ are finite, there is only a finite number of critical pairs. For every critical pair detected between $\mathcal{R}$ and $\mathcal{A}_{\mathcal{R}}^{i}$ such that we do not have a state $q'$ for which $r\sigma \to_{\Delta^{i}}^{*} q'$ and $q' \to q \in \Delta_{\varepsilon}^{i}$, the tree automaton $\mathcal{A}_{\mathcal{R}}^{i+1}$ is constructed by adding new transitions $r\sigma \to_{\Delta^{i+1}}^{*} q'$ to $\Delta^{i}$ and $q' \to q$ to $\Delta_{\varepsilon}^{i}$, such that $\mathcal{A}_{\mathcal{R}}^{i+1}$ recognizes $r\sigma$ in $q$, i.e. $r\sigma \to_{\mathcal{A}_{\mathcal{R}}^{i+1}}^{*} q$, see Figure 1.

Figure 1: A critical pair solved

It is important to note that we consider the critical pair only if the last step of the reduction $l\sigma \to_{\mathcal{A}_{\mathcal{R}}^{i}}^{*} q$ is not an ε-transition. Without this condition, the completion computes the transitive closure of the expected relation $\Delta_{\varepsilon}$, and thus loses precision. The transition $r\sigma \to q'$ is not necessarily a normalized transition of the form $f(q_1, \ldots, q_n) \to q'$ and so it has to be normalized first. Instead of adding $r\sigma \to q'$ we add $\downarrow(r\sigma \to q')$ to the transitions of $\Delta^{i}$. Here is the $\downarrow$ function used to normalize transitions. Note that, in this function, transitions are normalized using new states of $Q_{new}$.

Definition 4 ($\downarrow$). Let $\mathcal{A} = (\mathcal{F}, Q, Q_F, \Delta \cup \Delta_{\varepsilon})$ be a tree automaton, $Q_{new}$ a set of new states such that $Q \cap Q_{new} = \emptyset$, $s \in \mathcal{T}(\mathcal{F} \cup Q)$ and $q' \in Q$. The normalization of the transition $s \to q'$ is done in two mutually inductive steps. In the first step, denoted by $\downarrow(s \to q' \mid \Delta)$, we rewrite $s$ by $\Delta$ until rewriting is impossible: we obtain a unique configuration $t$ if $\Delta$ respects Property 1. The second step $\downarrow'$ is inductively defined by:

• $\downarrow'(f(t_1, \ldots, t_n) \to q \mid \Delta) = \Delta \cup \{f(t_1, \ldots, t_n) \to q\}$ if $\forall i = 1 \ldots n : t_i \in Q$

• $\downarrow'(f(t_1, \ldots, t_n) \to q \mid \Delta) = \downarrow(f(t_1, \ldots, q_i, \ldots, t_n) \to q \mid \downarrow'(t_i \to q_i \mid \Delta))$ where $t_i$ is a subterm s.t. $t_i \in \mathcal{T}(\mathcal{F} \cup Q) \setminus Q$ and $q_i \in Q_{new}$.

Lemma 1. If Property 1 holds for $\mathcal{A}_{\mathcal{R}}^{i}$, then it also holds for $\mathcal{A}_{\mathcal{R}}^{i+1}$.

Intuition. The determinism of $\to_{\Delta}$ is preserved by $\downarrow$, since when a new set of transitions is added to $\Delta$ for a subterm $t_i$, we rewrite all other subterms $t_j$ with the new $\Delta$ until rewriting is impossible before resuming the normalization. Then, if we try to add to $\Delta$ a transition $f(q_1, \ldots, q_n) \to q$ though there exists a transition $f(q_1, \ldots, q_n) \to q' \in \Delta$, it means that the configuration $f(q_1, \ldots, q_n)$ can be rewritten by $\Delta$. This is a contradiction: when we resume the normalization, no subterm $t_j$ can be rewritten by the current $\Delta$. So we never add such a transition to $\Delta$. The normalization produces a new set of transitions $\Delta$ that preserves Property 1. □

It is very important to remark that the transition $q' \to q$ in Figure 1 creates an order between the language recognized by $q$ and the one recognized by $q'$. Intuitively, we know that for all substitutions $\sigma' : \mathcal{X} \to \mathcal{T}(\mathcal{F})$ such that $l\sigma'$ is a term recognized by $q$, it is rewritten by $\mathcal{R}$ into a canonical term $r\sigma'$ of $q'$. By duality, the term $r\sigma'$ has a parent ($l\sigma'$) in the state $q$. Extending this reasoning, $\Delta_{\varepsilon}$ defines a relation between canonical terms. This relation follows rewriting steps at the top position and forgets rewriting in the subterms.

Definition 5 ($\dashrightarrow_{\mathcal{R}}$). Let $\mathcal{R}$ be a TRS. For all terms $u, v$, we have $u \dashrightarrow_{\mathcal{R}} v$ iff there exists $w$ such that $u \to_{\mathcal{R}}^{*} w$, $w \to_{\mathcal{R}} v$ and there is no rewriting at the top position $\lambda$ in the sequence denoted by $u \to_{\mathcal{R}}^{*} w$.

In the following, we show that the completion builds a tree automaton where the set $\Delta_{\varepsilon}$ is an abstraction $\dashrightarrow_{\mathcal{R}}$ of the rewriting relation $\to_{\mathcal{R}}$ for any relevant set
Theorem 1 (Correctness). Let $\mathcal{A}_{\mathcal{R}}^{*}$ be a complete tree automaton such that $q' \to q$ is an ε-transition of $\mathcal{A}_{\mathcal{R}}^{*}$. Then, for all canonical terms $u, v$ of states $q$ and $q'$ respectively s.t. $q' \to q$, we have:

$u \dashrightarrow_{\mathcal{R}} v$



First, we have to prove that Property 1 is preserved by completion. To prove Theorem 1 we need a stronger lemma.

Lemma 2. Let $\mathcal{A}_{\mathcal{R}}^{*}$ be a complete tree automaton, $q$ a state of $\mathcal{A}_{\mathcal{R}}^{*}$ and $v \in \mathcal{L}(\mathcal{A}_{\mathcal{R}}^{*}, q)$. Then, for all canonical terms $u$ of $q$, we have $u \to_{\mathcal{R}}^{*} v$.

Proof sketch. The proof is done by induction on the number of completion steps to reach the post-fixpoint $\mathcal{A}_{\mathcal{R}}^{*}$: we are going to show that if $\mathcal{A}_{\mathcal{R}}^{i}$ respects the property of Lemma 2, then $\mathcal{A}_{\mathcal{R}}^{i+1}$ also does.

The initial $\mathcal{A}_{\mathcal{R}}^{0}$ respects the expected property: we consider any state $q$ and a canonical term $t$ of $q$. Since no completion step was done, $\mathcal{A}_{\mathcal{R}}^{0}$ has no ε-transitions. It means that every term $t'$ with $t' \to_{\mathcal{A}_{\mathcal{R}}^{0}}^{*} q$ satisfies $t' \to_{\Delta}^{*} q$. Thanks to Property 2 we have $t = t'$ and obviously $t \to_{\mathcal{R}}^{*} t'$.

Now, we consider the normalization of a transition of the form $r\sigma \to q'$ such that $l\sigma \to_{\mathcal{A}_{\mathcal{R}}^{i}}^{*} q$, with $\Delta$ the ground transition set and $\Delta_{\varepsilon}$ the ε-transition set of $\mathcal{A}_{\mathcal{R}}^{i}$. We show that the property is true for all new states (including $q'$). Then, in a second time, we will show that it is true for state $q$ if we add the second transition of completion: $q' \to q$.

Let us focus on the normalization of $\downarrow'(r\sigma \to q' \mid \Delta)$ where for any existing state $q$ and for all $u, v \in \mathcal{T}(\mathcal{F})$ such that $v \to_{\Delta \cup \Delta_{\varepsilon}}^{*} q$ and $u \to_{\Delta}^{*} q$, we have $u \to_{\mathcal{R}}^{*} v$. We show that for all $t \in \mathcal{T}(\mathcal{F} \cup Q)$, if we have $\Delta' = \downarrow'(t \to q' \mid \Delta)$, then for all $u, v \in \mathcal{T}(\mathcal{F})$ such that $v \to_{\Delta' \cup \Delta_{\varepsilon}}^{*} q$ and $u \to_{\Delta'}^{*} q$, we have $u \to_{\mathcal{R}}^{*} v$. The induction is done on the number of symbols of $\mathcal{F}$ used to build $t$.

First case, $\downarrow'(t \to q \mid \Delta)$ where $t = f(q_1, \ldots, q_n)$: we define $\Delta'$ by adding the transition $f(q_1, \ldots, q_n) \to q$ to $\Delta$, where $q$ is a new state. Then, for all substitutions $\sigma' : Q \mapsto \mathcal{T}(\mathcal{F})$ such that $t\sigma' \to_{\Delta \cup \Delta_{\varepsilon}}^{*} q$, and all substitutions $\sigma'' : Q \mapsto \mathcal{T}(\mathcal{F})$ such that $t\sigma'' \to_{\Delta'}^{*} q$, we aim at proving that $t\sigma'' \to_{\mathcal{R}}^{*} t\sigma'$. Since each state $q_i$ is already defined, using the hypothesis on $\Delta$ we deduce that $\sigma''(q_i) \to_{\mathcal{R}}^{*} \sigma'(q_i)$. This implies that $t\sigma'' \to_{\mathcal{R}}^{*} t\sigma'$, so the property also holds for $\Delta'$.

Second case, $\downarrow'(t \to q \mid \Delta)$ where $t = f(t_1, \ldots, t_n)$: we select a subterm $t_i$ of $t$; obviously its number of symbols is strictly lower than the number of symbols of $t$. By induction, for the normalization $\downarrow'(t_i \to q_i \mid \Delta)$ we have a new set $\Delta'$ that respects the expected property. Then, we normalize $t$ into $t' = f(t'_1, \ldots, t'_n)$, the term obtained after rewriting with $\Delta'$ thanks to $\downarrow$. Since $t_i \notin Q$, the number of symbols of $\mathcal{F}$ in $t' = f(t_1, \ldots, q_i, \ldots, t_n)$ is strictly smaller than the number of symbols of $\mathcal{F}$ in $t$. Note that rewriting $t'$ with $\Delta'$ can only decrease the number of symbols of $\mathcal{F}$ in $t'$. Since $t'$ has a decreasing number of symbols and $\Delta'$ respects the property, we can deduce by induction that we have $\Delta'' = \downarrow'(t' \to q \mid \Delta')$ such that for all $v \to_{\Delta'' \cup \Delta_{\varepsilon}}^{*} q$ and $u \to_{\Delta''}^{*} q$, $u \to_{\mathcal{R}}^{*} v$.

So, we conclude that the normalization $\downarrow'(r\sigma \to q' \mid \Delta)$ computes $\Delta'$, the set of ground transitions for $\mathcal{A}_{\mathcal{R}}^{i+1}$. For all terms $u, v$ such that $v \to_{\Delta' \cup \Delta_{\varepsilon}}^{*} q'$ and $u \to_{\Delta'}^{*} q'$ we have $u \to_{\mathcal{R}}^{*} v$.

Now, let us consider the second added transition $q' \to q$ to $\Delta_{\varepsilon}$, all canonical terms $r\sigma''$ of $q'$, and all terms $l\sigma''' \in \mathcal{L}(\mathcal{A}_{\mathcal{R}}^{i}, q)$ such that $l\sigma''' \to_{\mathcal{R}} r\sigma'''$ and $r\sigma''' = r\sigma''$. By hypothesis on $\mathcal{A}_{\mathcal{R}}^{i}$, we know that for every canonical term $u$ of $q$ we have $u \to_{\mathcal{R}}^{*} l\sigma'''$. By transitivity, we have $u \to_{\mathcal{R}}^{*} r\sigma''$. The last step consists in proving that for all terms of all states of $\mathcal{A}_{\mathcal{R}}^{i+1}$ the property holds: this can be done by induction on the depth of the recognized terms. □






Verifying Temporal Regular Properties of Abstractions of Term Rewriting Systems 



Theorem 1 is shown by considering the introduction of the transition $q' \to q$. By construction, there exists a substitution $\sigma : \mathcal{X} \mapsto Q$ and a rule $l \to r \in \mathcal{R}$ such that we have $l\sigma \to_{\mathcal{A}_{\mathcal{R}}^{*}}^{*} q$ and $r\sigma \to_{\Delta}^{*} q'$. We consider all substitutions $\sigma' : \mathcal{X} \mapsto \mathcal{T}(\mathcal{F})$ such that for each variable $x \in \mathcal{V}ar(l)$, $\sigma'(x)$ is a canonical term of the state $\sigma(x)$. Obviously, using the result of Lemma 2, for all canonical terms $u$ of $q$ we have $u \to_{\mathcal{R}}^{*} l\sigma'$. Since the last step of rewriting in the reduction $l\sigma \to_{\mathcal{A}_{\mathcal{R}}^{*}}^{*} q$ is not an ε-transition, we also deduce that $l\sigma'$ is not produced by a rewriting at the top position of $u$, whereas it is the case for $r\sigma'$, and we have $u \dashrightarrow_{\mathcal{R}} r\sigma'$.

Theorem 2 (Completeness). Let $\mathcal{A}_{\mathcal{R}}^{*}$ be a complete tree automaton, $q, q'$ states of $\mathcal{A}_{\mathcal{R}}^{*}$, and $u, v \in \mathcal{T}(\mathcal{F})$ such that $u$ is a canonical term of $q$ and $v$ is a canonical term of $q'$. If $u \dashrightarrow_{\mathcal{R}} v$ then there exists an ε-transition $q' \to q$ in $\mathcal{A}_{\mathcal{R}}^{*}$.



Proof sketch. By definition of $u \dashrightarrow_{\mathcal{R}} v$ there exists a term $w$ such that $u \to_{\mathcal{R}}^{*} w$, and there exist a rule $l \to r \in \mathcal{R}$ and a substitution $\sigma : \mathcal{X} \mapsto \mathcal{T}(\mathcal{F})$ such that $w = l\sigma$ and $v = r\sigma$. Since $\mathcal{A}_{\mathcal{R}}^{*}$ is a complete tree automaton, it is closed by rewriting. This means that any term obtained by rewriting any term of $\mathcal{L}(\mathcal{A}_{\mathcal{R}}^{*}, q)$ is also in $\mathcal{L}(\mathcal{A}_{\mathcal{R}}^{*}, q)$. This property is true in particular for the terms $u$ and $w$. Since $w$ is rewritten in $q$ by transitions of $\mathcal{A}_{\mathcal{R}}^{*}$, we can define a second substitution $\sigma' : \mathcal{X} \mapsto Q$ such that $l\sigma \to_{\mathcal{A}_{\mathcal{R}}^{*}}^{*} l\sigma'$ and $l\sigma' \to_{\mathcal{A}_{\mathcal{R}}^{*}}^{*} q$. Using again the closure property of $\mathcal{A}_{\mathcal{R}}^{*}$, we know that the critical pair $l\sigma' \to_{\mathcal{R}} r\sigma'$, $l\sigma' \to_{\mathcal{A}_{\mathcal{R}}^{*}}^{*} q$ is solved by adding the transitions $r\sigma' \to_{\Delta}^{*} q''$ and $q'' \to q$. Since Property 1 is preserved by completion steps, we can deduce that $q'' = q'$, which means $q' \to q$. □



Example 2. To illustrate this result, we give a completed tree automaton for a small TRS. We define $\mathcal{R}$ as the union of the two sets of rules $\mathcal{R}_1 = \{a \to b,\ b \to c\}$ and $\mathcal{R}_2 = \{f(c) \to g(a),\ g(c) \to h(a),\ h(c) \to f(a)\}$. We define the initial set $E = \{f(a)\}$. We obtain the following tree automaton fixpoint:

$Q_F = \{q_f\}$,

$\Delta = \{a \to q_a,\ b \to q_b,\ c \to q_c,\ f(q_a) \to q_f,\ g(q_a) \to q_g,\ h(q_a) \to q_h\}$,

$\Delta_{\varepsilon} = \{q_b \to q_a,\ q_c \to q_b,\ q_g \to q_f,\ q_h \to q_g,\ q_f \to q_h\}$.

If we consider the transition $q_h \to q_g$ and its canonical terms $h(a)$ and $g(a)$ respectively, we can deduce $g(a) \dashrightarrow_{\mathcal{R}} h(a)$. This is obviously an abstraction since we have $g(a) \to_{\mathcal{R}} g(b) \to_{\mathcal{R}} g(c) \to_{\mathcal{R}} h(a)$.

In the following, we use the notation $\dashrightarrow_{\mathcal{R}_1}$ to specify the relation for a relevant subset $\mathcal{R}_1$ of $\mathcal{R}$. For instance, $u \dashrightarrow_{\mathcal{R}_1} v$ denotes that there exists $w$ such that $u \to_{\mathcal{R}}^{*} w$ with no rewriting at the $\lambda$ position of $u$ and $w \to_{\mathcal{R}_1} v$. In Example 2 we can say that $g(a) \dashrightarrow_{\mathcal{R}_2} h(a)$.



4 From Tree Automaton to Kripke Structure 

Let $\mathcal{A}_{\mathcal{R}}^{*} = (\mathcal{F}, Q, Q_F, \Delta \cup \Delta_{\varepsilon})$ be a complete tree automaton for a given TRS $\mathcal{R}$ and an initial language recognized by $\mathcal{A}$. A Kripke structure is a four-tuple $K = (S, S_0, R, L)$ where $S$ is a set of states, $S_0 \subseteq S$ the initial states, $R \subseteq S \times S$ a left-total transition relation and $L$ a function that labels each state with a set of predicates which are true in that state. In our case, the set of true predicates is a regular set of terms.
Definition 6 (Labelling Function). Let $\mathcal{A}_P = (\mathcal{F}, Q, \Delta)$ be the structure defined from $\mathcal{A}_{\mathcal{R}}^{*}$ by removing ε-transitions and final states. We define the labelling function $L : q \mapsto (\mathcal{F}, Q, \{q\}, \Delta)$ as the function which associates to a state $q$ the automaton $\mathcal{A}_P$ where $q$ is the unique final state. We obviously have the following property for all states $q$:

$\forall t \in \mathcal{L}(L(q)),\ t \to_{\Delta}^{*} q$

Now, we can build the Kripke structure for the subset $\mathcal{R}_i$ of $\mathcal{R}$ on which we want to prove some temporal properties.

Definition 7 (Construction of a Kripke Structure). We build the 4-tuple $(S, S_0, R, L)$ from a tree automaton such that $S = Q$, $S_0 \subseteq S$ is a set of initial states, $R(q, q')$ holds if $q' \to q \in \Delta_{\varepsilon}$, and the labelling function $L$ is as defined previously.

Kripke structures must have a left-total relation $R$. For any state $q$ which has no successor by $R$, we add a loop such that $R(q, q)$ holds. Note that this is a classical transformation of Kripke structures [?]. A Kripke structure is parametrized by the set $S_0$, which defines the connected component of $R$ we are interested in analyzing. For instance, to analyze the abstract rewriting at the top position of terms in $\mathcal{L}(\mathcal{A}_{\mathcal{R}}^{*})$, we define $S_0 = Q_F$ (the set of final states of $\mathcal{A}_{\mathcal{R}}^{*}$), since all canonical terms of final states are initial terms. For abstract rewriting at a deeper position $p$, we need to define a set $Sub$ of initial subterms considered as the beginning of the rewriting at position $p$. Then the set $S_0$ is defined as $S_0 = \{q \mid \exists t \in Sub,\ t \to_{\Delta}^{*} q\}$.

The Kripke structure models exactly the abstract rewriting relation $\dashrightarrow_{\mathcal{R}_i}$ for the corresponding subset $\mathcal{R}_i$ of $\mathcal{R}$.

Theorem 3. Let $K = (S, S_0, R, L)$ be a Kripke structure built from $\mathcal{A}_{\mathcal{R}}^{*}$. For any states $s, s'$ such that $R(s, s')$ holds, there exist two terms $u \in \mathcal{L}(L(s))$ and $v \in \mathcal{L}(L(s'))$ such that $u \dashrightarrow_{\mathcal{R}} v$.

Proof. Here, the proof is quite trivial. It is a consequence of Theorem 1, which can be applied on the relation $R$ of the Kripke structure. □

In Example 2, if we want to verify properties of $\mathcal{R}_1$ or $\mathcal{R}_2$, we need to consider a different subset of $\Delta_{\varepsilon}$ corresponding to the abstraction of the rewriting relation $\dashrightarrow_{\mathcal{R}_i}$. Figures 2 and 3 show the Kripke structures corresponding to those abstractions. Note that in Figure 2 a loop is needed on state $q_c$ to have a total relation for $K_1$.

Figure 2: Kripke structure $K_1$ for $\dashrightarrow_{\mathcal{R}_1}$. Figure 3: Kripke structure $K_2$ for $\dashrightarrow_{\mathcal{R}_2}$.

The set $S_0$ of initial states depends on the abstract rewriting relation selected. For example, if we want to analyze $\dashrightarrow_{\mathcal{R}_2}$ (or $\dashrightarrow_{\mathcal{R}_1}$), we define $S_0 = \{q_f\}$ (resp. $S_0 = \{q_a\}$).

5 Verification of R-LTL properties 

To express our properties, we propose to define the Regular Linear Temporal Logic (R-LTL). R-LTL is LTL where predicates are replaced by tree automata. The language of such a tree automaton characterizes a set of admissible terms. A state $q$ of a Kripke structure validates the atomic property $P$ characterized by a tree automaton $\mathcal{A}_P$ if and only if at least one term recognized by $L(q)$ is recognized by $\mathcal{A}_P$. More formally:

$K = (Q, Q_F, R, L),\ q \models P \iff \mathcal{L}(L(q)) \cap \mathcal{L}(\mathcal{A}_P) \neq \emptyset$

We also add the operators ($\wedge$, $\vee$, X, F, G, U, R) with their standard semantics as in LTL to keep the expressiveness of the temporal logic. More information about these operators can be found in [?]. Note that temporal properties do not range over the rewriting relation $\to_{\mathcal{R}}$ but over its abstraction $\dashrightarrow_{\mathcal{R}}$. It means that the semantics of the temporal operators has to be interpreted w.r.t. this specific relation. For example, consider the formula $G(\{f(a)\} \Rightarrow X\{g(a)\})$ on $K_2$ (for more clarity, we note predicates as sets of terms): the formula has to be interpreted as: for all $q, q'$, if $K_2, q \models \{f(a)\}$ and $R(q, q')$ then we have $K_2, q' \models \{g(a)\}$. In the rewriting interpretation, the only term $u$ such that $f(a) \dashrightarrow_{\mathcal{R}_2} u$ is $u = g(a)$.

We use the Büchi automata framework to perform model checking. A survey of this technique can be found in chapter 9 of [?]. LTL (or R-LTL) formulas and Kripke structures can be translated into Büchi automata. We construct two Büchi automata: $B_K$, obtained from the Kripke structure, and $B_L$, defined by the LTL formula. Since the set of behaviors of the Kripke structure is the language of the automaton $B_K$, the Kripke structure satisfies the R-LTL formula if all its behaviors are recognized by the automaton $B_L$. It means checking $\mathcal{L}(B_K) \subseteq \mathcal{L}(B_L)$. For this purpose, we construct the automaton $B_{\bar{L}}$ that recognizes the language $\overline{\mathcal{L}(B_L)}$ and we check the emptiness of the automaton $B_{\cap}$ that accepts the intersection of the languages $\mathcal{L}(B_K)$ and $\mathcal{L}(B_{\bar{L}})$. If this intersection is empty, the term rewriting system satisfies the property. This is the standard model-checking technique.

$B_{\bar{L}}$ and $B_K$ are classically defined as 5-tuples: alphabet, states, initial states, final states and transition relation. Generally, the alphabet of Büchi automata is a set of predicates. Since we use here tree automata to define predicates, the alphabet of $B_K$ and $B_{\bar{L}}$ is $\Sigma$, the set of tree automata that can be defined over $\mathcal{T}(\mathcal{F})$. Actually, a set of behaviors is a word which describes a sequence of states: if $\pi = s_0 s_1 s_2 s_3 \ldots$ denotes a valid sequence of states in the Kripke structure, then the word $\pi' = L(s_0) L(s_1) L(s_2) \ldots$ is recognized by $B_K$. The algorithms used to build $B_{\bar{L}}$ and $B_K$ can be found in [3].

The automaton intersection $B_{\cap}$ is obtained by computing the product of $B_K$ by $B_{\bar{L}}$. By construction, all states of $B_K$ have to be final. Intuitively, any infinite path over the Kripke structure must be recognized by $B_K$. This case allows using a simpler version of the general Büchi automata product.

Definition 8 ($B_K \times B_{\bar{L}}$). The product of $B_K = (\Sigma, Q, Q_I, \Delta, Q)$ by $B_{\bar{L}} = (\Sigma, Q', Q'_I, \Delta', F)$ is defined as

$(\Sigma,\ Q \times Q',\ Q_I \times Q'_I,\ \Delta_{\times},\ Q \times F)$

where $\Delta_{\times}$ is the set of transitions $(q_K, q_L) \to (q'_K, q'_L)$ such that $q_K \xrightarrow{A_K} q'_K$ is a transition of $B_K$ and $q_L \xrightarrow{A_L} q'_L$ is a transition of $B_{\bar{L}}$. Moreover, the transition is only valid if the intersection between the languages of $A_K$ and $A_L$ is non-empty, as expected by the satisfiability of the R-LTL atomic formula.

Finally, the emptiness of the language $\mathcal{L}(B_{\cap})$ can be checked using the standard algorithm based on depth-first search to check whether final states are reachable.

Example 3. To illustrate the approach, we propose to check the formula $P = G(\{f(a)\} \Rightarrow X\{g(a)\})$ on Example 2. The automaton $B_{\bar{L}}$ (Fig. 4) recognizes the negation of the formula $P$, expressed as $F(\{f(a)\} \wedge X\neg\{g(a)\})$, and $B_K$ (Fig. 5) recognizes all behaviors of the Kripke structure $K_2$ (Fig. 3). The notation $A_{\alpha}$ denotes the tree automaton whose language is described by $\alpha$ ($A_{\overline{g(a)}}$ recognizes the complement of the language $\mathcal{L}(A_{g(a)})$ and $A_{*}$ recognizes all terms in $\mathcal{T}(\mathcal{F})$). Figure 6 shows the result of the intersection $B_{\cap}$ between $B_K$ and $B_{\bar{L}}$. Only reachable states and valid transitions (labelled by non-empty tree automata intersections) are shown. Since no reachable state of $B_{\cap}$ is final, its language is empty. It means that all behaviors of $K_2$ satisfy $P$: the only successor of $f(a)$ for the relation $\dashrightarrow_{\mathcal{R}_2}$ is $g(a)$.



Figure 5: Automaton $B_K$. Figure 6: Automaton $B_{\cap}$.
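To make the whole chain concrete, here is an added example (written for this page, not code from the paper) that runs the completion with ε-transitions of Section 3 on the ground TRS of Example 2, builds the Kripke structures $K_1$ and $K_2$ of Section 4 and checks the formula of Example 3. It assumes ground rules only, generates state names q1 … q6 instead of the paper's $q_a, \ldots, q_h$, and checks the single pattern $G(\{p\} \Rightarrow X\{n\})$ directly on the Kripke graph rather than through the Büchi product.

```python
# Added example, not the paper's own code: completion with epsilon-transitions
# (Section 3) on the ground TRS of Example 2, the Kripke structures of Section 4
# and the check of G({f(a)} => X{g(a)}) from Example 3, all in plain Python.
# Terms are nested tuples, ('f', ('a',)) stands for f(a); states are strings.
from itertools import product

# Constructed input: R = R1 u R2 and E = {f(a)}, exactly as in Example 2.
R1 = [(('a',), ('b',)), (('b',), ('c',))]
R2 = [(('f', ('c',)), ('g', ('a',))), (('g', ('c',)), ('h', ('a',))),
      (('h', ('c',)), ('f', ('a',)))]
RULES = [(l, r, 'R1') for l, r in R1] + [(l, r, 'R2') for l, r in R2]

class Automaton:
    def __init__(self):
        # delta: (symbol, argument states) -> state, so ->_Delta is deterministic
        # (Property 1); eps: (q', q) -> name of the rule subset that added q' -> q.
        self.delta, self.eps, self.final = {}, {}, set()

    def normalize(self, t):
        # Normalization: reuse delta where possible, create fresh states otherwise
        # (so each state has one ground transition, Property 2); returns t's state.
        key = (t[0], tuple(self.normalize(s) for s in t[1:]))
        return self.delta.setdefault(key, 'q%d' % (len(self.delta) + 1))

    def closure(self, states):
        # States reachable from `states` through epsilon-transitions q' -> q.
        todo, seen = list(states), set(states)
        while todo:
            q = todo.pop()
            for src, dst in self.eps:
                if src == q and dst not in seen:
                    seen.add(dst); todo.append(dst)
        return seen

    def ground_states(self, t):
        # States q with t ->*_A q whose LAST step is a ground transition (the
        # critical-pair condition of Section 3); subterms may use eps-transitions.
        subs = [self.closure(self.ground_states(s)) for s in t[1:]]
        return {self.delta[(t[0], a)] for a in product(*subs) if (t[0], a) in self.delta}

    def canonical_state(self, t):
        # State q with t ->*_Delta q (ground transitions only), or None.
        args = tuple(self.canonical_state(s) for s in t[1:])
        return None if None in args else self.delta.get((t[0], args))

def complete(aut, rules):
    # Completion steps (Figure 1) until no unsolved critical pair is left.
    changed = True
    while changed:
        changed = False
        for l, r, tag in rules:
            for q in list(aut.ground_states(l)):        # critical pair l ->* q
                qp = aut.canonical_state(r)
                if qp is None or (qp, q) not in aut.eps:
                    aut.eps[(aut.normalize(r), q)] = tag  # add r ->* q' and q' -> q
                    changed = True
    return aut

def kripke(aut, tag, initial):
    # Section 4: S = Q, R(q, q') iff q' -> q was added by the selected subset
    # of R; a state without successor gets a self-loop so that R is left-total.
    succ = {q: {qp for (qp, q2), t in aut.eps.items() if q2 == q and t == tag} or {q}
            for q in aut.delta.values()}
    return {'S0': set(initial), 'R': succ}

def holds(aut, q, term):
    # Atomic R-LTL predicate {term}: L(L(q)) meets {term}, i.e. term ->*_Delta q.
    return aut.canonical_state(term) == q

def check_globally_next(aut, K, p, n):
    # Model-check G({p} => X{n}) on the states reachable from S0: every
    # R-successor of a state satisfying {p} must satisfy {n}.
    todo, seen = list(K['S0']), set(K['S0'])
    while todo:
        q = todo.pop()
        for qp in K['R'][q]:
            if holds(aut, q, p) and not holds(aut, qp, n):
                return False, (q, qp)                    # counterexample edge
            if qp not in seen:
                seen.add(qp); todo.append(qp)
    return True, None

def run_example():
    aut = Automaton()
    aut.final.add(aut.normalize(('f', ('a',))))            # initial automaton for E
    complete(aut, RULES)
    K2 = kripke(aut, 'R2', aut.final)                       # S0 = Q_F: top position
    K1 = kripke(aut, 'R1', {aut.canonical_state(('a',))})   # S0 = {q_a}
    fa, ga, ha = ('f', ('a',)), ('g', ('a',)), ('h', ('a',))
    ok, _ = check_globally_next(aut, K2, fa, ga)            # Example 3: P holds on K2
    bad, cex = check_globally_next(aut, K2, fa, ha)         # f(a) is never followed by h(a)
    return aut, K1, K2, ok, bad, cex
```

The completed automaton has the six states and five ε-transitions of Example 2, and $K_2$ is the cycle $q_f \to q_g \to q_h \to q_f$, so the check of $P$ succeeds while the variant with $h(a)$ returns the offending edge $(q_f, q_g)$.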



6 Conclusion, Discussion 

In this paper, we show how to improve the tree automata completion mechanism to keep the ordering between reachable terms. This ordering was lost in the original algorithm [5]. Another contribution is the mechanism making it possible to prove LTL-like temporal properties on such abstractions of sets of reachable terms. The work presented here only deals with finite state systems and exact tree automata completion results. Future plans are to extend this result so as to prove temporal properties on over-approximations of infinite state systems. A similar objective has already been tackled in [8]. However, this was done in a pure rewriting framework where abstractions are more heavily constrained than in tree automata completion [5]. Hence, by extending LTL formula checking to tree automata over-approximations, we hope to ease the verification of temporal formulas on infinite state systems.